Aligning ICANN Policy with the Privacy Rights of Internet Users
05 September 2014 - A Workshop on in Istanbul, Turkey
This is the output of the real‑time captioning taken during the IGF 2014 Istanbul, Turkey, meetings. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> PRANASH PRAKASH: Shall we start?
Good morning. Thank you for coming by for this panel on ICANN processes and privacy issues.
My name is Pranash Prakash with the Yale Information Society Project as well as with the Center for Internet and Society. Today we have a fabulous lineup of renowned experts on this issue who fill different roles in the ICANN system and who have very strong opinions about privacy related issues one way or the other.
So I will, since we started late I'll keep my comments very brief. I'll just tell the order in which the panelists will go. First, Michele Neylon; second, Paul Diaz; third, Monika. Fourth, Richard sitting to my right. Fifth, Stephanie ‑‑ no. And then fifth will go Sjoera and then Stephanie. Each will make their remarks introducing their points of views and then we will have an open discussion bringing in the audience and myself.
>> MICHELE NEYLON: If I speak too quickly wave madly or something. Because I have ‑‑ no, you behave, Rafik. I generally have two speeds, ridiculously fast or even faster.
Just to explain who I am, I am the founder and CEO of Blacknight Internet Solutions, a registrar based in Ireland. Which means that we are a hosting company within the ICANN space. I happen to be the Chair of the Registrar Stakeholder Group, though I am not speaking in that capacity. I am also on the board of the Internet Infrastructure Coalition and various other entities and organisations and things.
To put this in context what we are talking about here in this session is to do with gTLDs, generic top level domains, .info, .biz plus all the new top level domains such as .ninja, .social and things like that which of course we sell if you go to our website.
We are not talking about country codes. We are not talking about stuff around say .FR, .DE, .UK or any of the other countries. ICANN does not have control over policies involving country codes.
The entire thing around privacy and ICANN policy really came to a head with the introduction of the 2013 RAA. The RAA is the contract between registrars, companies like mine, and ICANN. ICANN being the Internet Corporation for Assigned Names and Numbers which is a California‑based, yada yada yada who have an overseeing role with regard to names and numbers, but we really only care about names.
The contract mandates the information that registrars such as ourselves have to collect and also mandates a certain amount of data that we have to display in what is known as WHOIS. It also mandates how long we are meant to hold on to that data.
Which is, of course, ram, slap, bang into various other things that other people on this panel are more qualified to speak about than I am.
WHOIS as a concept, it is a directory. It is a way to get information about which entity or which person a resource has been assigned to. Originally this started out as being something to address a purely technical issue. So you had a network operator in one part of the world, a network operator in another part of the world. If there were communications issues between the two networks it would be useful to know who the hell to yell at, ring or whatever, to sort out those problems.
Over time, the WHOIS has evolved and depending on who you are, you will use it for a variety of different reasons. And there's an entire debate and debacle about what it could be used for or what it is used for.
In the IP address space there is WHOIS as well. That has evolved quite a bit over time but is more limited in scope in that it is primarily dealing with a technical resource. I think that covers anything I had to say.
>> PRANASH PRAKASH: Thank you very much, Michele. Paul?
>> PAUL DIAZ: Paul Diaz, Public Interest Registry, vice‑president of policy. We are the operator of .org. We also currently operate three IDN versions of ORG and hope to soon bring to market a new TLD for nongovernmental organisations. So NGO and romance language equivalent, ONG. Like Michele, I serve on the Executive Committee for the registry stakeholder group. I'm the Chair, and before working for PIR I spent ten years at Network Solutions. So I have registrar experience as well.
To frame and set and begin to paint the picture here, Pranesh asked me to speak about the difference between thick and thin WHOIS. A lot of our discussions today will be focused on WHOIS. To make sure everybody understands, except for two legacy TLDs, .com and .net, that operate as a thin model, everybody else operates as a thick registry operator or thick WHOIS operator. What that means is that the registry has a responsibility for publishing the information that appears for the names under their management.
That data, however, is provided by their accredited registrars. In my case, .org, Michele's Blacknight will push to us the information required under our agreement with ICANN to be publicly posted. In the gTLD space you can have privacy and proxy registrations as well. So information is published. It may be my personal name, address, et cetera. Or if I subscribe to a privacy service, you may see my name or not. And then in all likelihood you would see contact information for the provider of that privacy service.
It creates a lot of confusion down the road. Understand the universe is thick. It means that the registry operator is responsible for publishing the authoritative source as opposed to a thin model where you go to the registrar anyway. But ultimately that contact information is collected by the registrars, not the registries. That leads to a lot of customer service questions from my organisation, folks asking I need to get in touch with so‑and‑so because they are doing something in .org and we have to refer it because we don't have that data. We are not the original collector, just the publisher.
I also ask to make note, we want to be careful about acronyms. I signed a contract with ICANN called a registry agreement, RA. Registrars sign an accreditation agreement, RAA. In turn they will have a side agreement with us. Another acronym that doesn't matter; the important one for our discussions today is the RAA. There have been three flavors over time. The original ones dated 2001. All those subsequently were taken over by either 2009 or more recently 2013. Very importantly, and again we will get more into detail, there was a push from parts of the ICANN community, drove ICANN to negotiate with the registrars to update. Ultimately we got in the 2013 version. That RAA has additional requirements: Verification, like requirements but they are in there nonetheless. Also pass‑through obligations. In the past resellers who are not contractually bound to ICANN could be used as a loophole for certain obligations. That has been addressed in the 2013 to some degree or varying degrees. Very importantly the 2013 RAA is also a requirement for any registrar that wants to offer new TLDs. So this was a big stick that ICANN used to push through the agreement. Folks who wanted to offer the new ones must be operating under 2013. I can still work with a registrar who is still on 2009 for .org but I would not be able to work with them for 2013. It was supposed to bring in consumer confidence for protection measures to the market. That remains to be seen, but it is a requirement. I think I'll leave it there. Covered.
>> PRANASH PRAKASH: Thank you very much, Michele and Paul, for giving us this basic low‑down on what the WHOIS system is, how it works and the important distinctions that we must keep in mind while carrying forward this debate.
Next we have Monika ‑‑ sorry, I will massacre your last name. Please introduce yourself and the report that you are reporting on.
>> MONIKA ZALNIERIUTE: Thank you very much. Hello, everyone. Yeah, my, Monika Zalnieriute. I'm a Fellow at the Research Center for Internet and Human Rights. I participate on this panel and in IGF as a privacy expert for the Council of Europe.
Today I am so happy to be invited also on this panel. Today I would like to briefly present to you the Council of Europe report that has been recently released, which we wrote together with Thomas Schneider about ICANN's procedures and policies in the light of human rights and fundamental freedoms.
Although the opinions expressed in this report are ours rather than representing the opinion of the 47 Member States, but without going into too much detail I would like to just briefly highlight maybe the main findings and main methodologies that we adopted to say that what we have now within ICANN from data protection perspective is very, very bad. So as it was mentioned earlier, the register, the RAA, it was already explained what it is. It was adopted with a very strong pressure and lobbying from the law enforcement agencies and especially the Five Eyes intelligence agencies at the expense of the privacy considerations, we argue.
As you all know, after the contract has been terminated with the domain name owners, the data is, personal data, a great variety of data is still kept for two years in order to have potential access by the law enforcement agencies.
What we do with this information and these mechanisms of the ICANN, we try to excise them from the Council of Europe. We only try to examine and highlight the issues that would be critical and relevant from the European perspective. That's why we examine Strasbourg and Luxembourg's jurisprudence. This leaves colleagues from other countries very unhappy but nonetheless this is a Council of Europe work. That was our main goal.
So we tried to remind GAC members as well as other important stakeholders within ICANN that pretty much these rules do not really comply with any international data protection standards or the jurisprudence developed by these two important courts. We tried to highlight that there is this test developed in Strasbourg that any interference with privacy rights must be in accordance with the law, must have a legitimate aim and must be proportionate. To start with, there seems to be no statute that would purport such retention of data. Thus the first requirement of the test seems to fail. The second one is actually accepted as a legitimate aim and we do not really dispute that. What we dispute is the proportionality and necessity in the democratic society. Here we bring into parallel the latest decision of the European Court of Justice. I'm sure you know about it. This is the Digital Rights Ireland case where the data retention directive was invalidated because of its disproportionate effect on privacy rights. We draw a parallel to this and claim this is very similar. Even if it would satisfy all the other requirements, this one would definitely fail.
Two years after the contractual basis is no longer valid is rather disproportionate. And if the Member States and the countries would like to have data retained for long periods, it is for them to actually enact the legislation that would stipulate this. So this would reflect the traditional jurisprudence developed in the Strasbourg court. We also are applying the very, very standard data protection rules which claim that there is a purpose limitation principle, which means that the data that is collected for one purpose cannot be used for another. This is what we have in the ICANN RAA. Finally, we also have a look at the WHOIS database where third‑party access is rather unlimited and say that this is also not really in compliance with any international standards on data privacy.
So I think I'll keep it short and give it to the other panelists and maybe later we can have a discussion. But this was the idea to highlight where maybe all the mechanisms and policies in place at the moment would not be in compliance with international law and actually with the whole framework of European data protection. So thank you.
>> PRANASH PRAKASH: Thank you very much, Monika. If you could ask you to briefly touch upon what third‑party services you mentioned?
>> MONIKA ZALNIERIUTE: Okay. So how it works is that in the WHOIS database there is a variety of data kept of the domain name owners which is accessible to pretty much anyone because it is available online.
And it goes into sharp contrast with the idea that a third‑party access needs to have a lot of safeguards from the data protection regime, at least in Europe.
In many cases you either need to have a public office function to be able to do it for administrative purposes or in other cases you would need to have a court order to actually access the data kept by other organisations, be that private or be that public. This goes into very sharp contrast.
>> PRANASH PRAKASH: Thank you very much. Now, Richard who is from Europol, Richard, do you agree with what Monika said about disproportionality?
>> RICHARD LEANING: My name is Richard Leaning. I'm the law enforcement officer from the U.K., Europol, the European Crime Center, also one of the officers who put together the recommendations for the new RA 2013.
But our recommendations were just recommendations. And it was adopted by the ICANN community going through due process. Whatever is in the RAA 2013 was adopted by the community, not just by law enforcement pushing it. So you have to be quite ‑‑ yeah. You have to be quite careful in the words we use. It is not law enforcement that said we wanted, we would like. It went through due process of the ICANN community which is where we got the RAA2013.
Regarding the privacy side, yeah, everyone has a right to privacy. The problem we have as law enforcement officers, say I'm a cop, street cop dealing with crime, all types of crime that has presence on the Internet. That's either IP addresses or domain names. We have trouble identifying people with responsibilities for the domain names. The WHOIS at the moment is not accurate. If I took it at face value I would spend half of my time in Disneyland looking for Mickey Mouse because that's who registered most of the domain names. We welcome the process that Michele and his team have done. There has to be a compromise among the needs. It's not just law enforcement. There are other actors out there who need accurate WHOIS for a start.
There are loads of things out there that the public would need to be safe about. So yeah, I agree that maybe this is a pendulum. So I'm interested in having ‑‑ the thing is, I've come here to understand what the concerns are.
>> PRANASH PRAKASH: Could you give us a couple of examples of how WHOIS's detail has been found useful in law enforcement in cases, et cetera?
>> RICHARD LEANING: It has been found useful because some of the bad actors that we are looking at now started when the Internet was very young. And they leave a trace because they didn't know how to wipe themselves clean from an early age.
So there's always an e‑mail address somewhere in there that is good for us, or a telephone number or a physical address or a user name. There's always something in there.
But it proves the negative as well because sometimes domain names, you can see a pattern of how they have been registered, where they have been registered, payment, all this type of thing. So it is a useful tool. It is one of many tools that we use in our investigations. But it is just one. If we can try and make that one a little bit more accurate, it will help us in building up all of our avenues.
>> PRANASH PRAKASH: One last question for you before we move on. If you had privacy proxies which allowed you to mask your identity while purchasing a domain name and privacy proxies that allowed the use of Bitcoins, say, what is your opinion about that?
>> RICHARD LEANING: That is going to be an issue. The bottom line is, we would like to know who has responsibility for that domain name. If it is behind a proxy service, we would go to the proxy service and ask if they have accurate data which they probably do, or, but if you have a domain name common sense suggests that someone must know who is responsible for that domain name.
>> PRANASH PRAKASH: Next up we have Sjoera Nas, who is from the Article 29 Working Group, Working Party. I think we finally have a good debate going. Where do you stand on this debate?
>> SJOERA NAS: Yes, thank you very much for having me. So I personally work for the Dutch data protection authority but am here to represent the Article 29 Working Party, which is the name of the collaboration of 28 individual data protection authorities in Europe. We write opinions and we wrote a number of letters to ICANN regarding the RAA.
Basically, I think my colleague from the Council of Europe summarized all of our criticism with regard to the data retention obligations in the RAA, namely that it is not proportionate and there is no lawful obligation, legal obligation for registrars to retain these data after the contract has been terminated.
It has been a bit difficult to communicate with ICANN. Like it turned out to be difficult in general to discuss privacy issues with our U.S. counter‑partners because of a basic misunderstanding about the human rights value that we attach in Europe to privacy, as opposed to a more consumer approach in the U.S.
So that has been difficult. We sent this letter, three letters in total saying that really yes, all 28 data protection authorities in Europe think that all parties should get a general waiver from the new data retention obligation.
With regard to the comments made by my colleague from Europol, if I may summarize, you mentioned there has to be kind of a compromise. The police does need access to accurate data. And the public needs to be safe, right?
In my mind you could compare that to the police innocently demanding for a curfew for everybody after 8:00 o'clock at night. That would definitely reduce the crime rate in a country. Certainly after 8:00 o'clock in the evening, right? It is not an innocent suggestion actually, I would suggest. It is quite vital if law enforcement asks in a public governmental forum like ICANN for the need for data to be retained two years after termination of a contract, I do not find that an innocent suggestion in order for a general public need to be safe. I think the police itself should also take these fundamental human rights at heart and not propose such suggestions in the first place but start with a far more proportionate proposal.
I think it is a measure that is way too broad. Therefore, disproportionate. That is the opinion of the Article 29. Thank you.
>> PRANASH PRAKASH: Could you also address how the differences between jurisdictions could be taken care of? Because if, for instance, a law was to be put in place, then it would have to be some kind of either national law or transnational law within a region like the EU but that would still lead to differences. How would that be taken care of?
>> SJOERA NAS: Two short remarks. So first of all, data protection directive is already applicable across Europe. And as data protection authorities we have reasoned and specified why this retention obligation is illegal across Europe. So that is current law.
If Member States would individually want to introduce a retention, it would have to pass parliament but also pass a new strict test created by the European Court of Justice which says that if government wants access for law enforcement purposes to data retained for or collected basically for commercial purposes, then there is a very strict proportionality test, that is the fundamental data protection which Monika referred to. After this ruling it will be very difficult for Member States in Europe to pass new legislation introducing data retention obligations.
Does that answer your question?
>> PRANASH PRAKASH: Yes. Next up we have Stephanie Perrin, and Stephanie served on an expert Working Group that issued its final report on this and other aspects of WHOIS policy quite recently. And Stephanie also authored a dissenting note to that report.
So Stephanie, could you please tell us more about that? And whether you share the views of the European privacy advocates on this panel?
>> STEPHANIE PERRIN: I think briefly, let me just give you my summary opinion of what's going on at ICANN. Many people have read Alice In Wonderland. There's a companion volume, Alice Through The Looking Glass. I have to say I was recruited from outside ICANN to come in as the privacy expert to the expert Working Group. This was an attempt to solve the 14‑year struggle between the privacy advocates and the Intellectual Property and law enforcement advocates on the other side as to what goes in the WHOIS.
Now, in Alice's Adventures Through The Looking Glass, the title doesn't matter. Basically she is in a backwards world. And I found myself after about six months, I'm busy doing a doctorate at the University of Toronto on why privacy isn't implemented. I said to my thesis advisers, this is a fascinating problem at ICANN. I will move my thesis over to Canada.
ICANN doesn't have privacy in WHOIS. And one of the central problems and shamelessly, I will say if anyone would like to be interviewed, I would like to interview you, if you have been watching ICANN.
Things are backwards. If you are doing something in the public interest, analyzing the relevant laws in what has to, it must be confessed that transborder data flow is a jurisdictional sink hole into which one can fall. It always has been that way, since the early '60s when we started worrying about transborder data flow. For ICANN to just duck that problem and say well, if you don't have a law we are not going to apply it and that law doesn't apply here because it's the State of California. And this contract which we are making the registrars sign is according to the laws of the State of California, that is not acceptable from a public policy perspective in my view.
Now, I did find myself on the Experts Working Group and it is disbanded now. So I don't speak at all as a member of the group except to regale you with my experiences.
But I have been responsible for administering law inside a public organisation, the Department of Communications, which deals with these kinds of issues, although it was so many years ago, it was before the Internet.
I have been responsible for crafting an international standard that Canada came out, a quality standard for privacy. Then we went on and developed a law. Then I worked in the private sector as chief privacy officer. Then I worked in the privacy Commissioner's office as a oversight officer and now looked at it philosophically as a pointy‑headed Ph.D. student. I take a kaleidoscope view of what is happening in ICANN. It's still backwards. I cannot find a lens where this makes sense or is acceptable.
That's a rather brash statement. We did some good things in the expert Working Group report. We said that where privacy law applied, it would apply to that individual. That individual could assert their rights.
Unfortunately, and the reason why I issued a dissenting report, we also put a clause in that said in order to basically get a domain name registered, you consent to the use of the information. This is one of the fundamental problems in privacy in a narrow look at privacy legislation. Legislation that doesn't necessarily focus enough on proportionality and purpose and back it with human rights and have mechanisms to stop coerced consent. So that if you put that kind of clause in, in Canada, for instance, with the law that I'm most familiar with, I cosign away my rights.
So to say that privacy law applied so we are okay doesn't work anymore. You just signed away your rights. That was why I dissented. It was one clause that triggered it. There are a number of other things that are very difficult to put in practice, from a practical standpoint. That's really the lens that I take to these things, from pragmatic implementation perspective in the report.
The one thing that I think is really useful and a step forward and also difficult to enforce is the concept that you have a right to have an anonymous domain registration for purposes of free speech, protection of people who are at risk, and there are all kinds of people at risk if their location is found. And I think that surely I would like to continue to try to work on that project.
So ICANN has created a beast. I'm now hanging around and volunteering my time.
>> PRANASH PRAKASH: Could you, Stephanie, also say a little bit about the recommendations and specifically what happens if someone just goes and registers a domain name under a fake name? What kinds of liability mechanisms arise? What responsibilities lie on registrars?
>> STEPHANIE PERRIN: Well, that would be more of a question for Michele. I can tell you as the privacy advocate here, we have a lot of sympathy for that as a problem. Particularly if it's my name that somebody is registering as a fake name on their criminal website.
There is no reason for law enforcement and privacy not to be at other ends of the table on this. I think we are very aligned on many, many issues. I would totally agree that the data retention is disproportionate and the data retention doesn't necessarily catch the guy using the fake name, taking my name. It is no good. I would like to see, having worked in government, I want to see the actual results of the risk mitigations that we put in place. And if we measure the results, how many times that escrow data has actually been useful for the purposes that are cited? I'm sure it's useful for intelligence, but intelligence is not one of the stated purposes, you know? Criminal investigation is supposed to be why you are escrowing that data. And I would like to see the reason for some of the metadata that they are collecting.
Now, as an adjunct, if I may go on a rant here and please interrupt me with questions, but as an individual out there when you register your domain name, do you have a clue that the metadata about your transactions with your registrar is being gathered? You don't even know what that metadata might be. You know, you assume when you see something: Oh, well, must be something to do with a root server. Please don't explain it to me. I don't want to know.
But these things are really important from a criminal investigation. As I always used to say, if it's good enough to get the FBI to my door, I want to know about it. Okay, inadequate explanation of what the data is being collected for and used for.
>> PRANASH PRAKASH: Thank you very much, Stephanie. Next we have Joy Liddicoat from the Association for Progressive Communications. Amongst the many, many hats that Joy wears as a lawyer, she is also on the board of Internet NZ which manages the Dot NZ TLD. ccTLDs have been conspicuous by their absence in this discussion because most of ICANN's policies don't directly apply to them. But privacy concerns still arise.
Joy, could you give us perspectives on that?
>> JOY LIDDICOAT: Sure, thank you. A few remarks about my background and perhaps some critical reflection. In the Dot NZ ccTLD space, harkening back to the RFCs which created it, Dot NZ was originally run out of a university with a few geeks with computers thought that somebody might want to use this thing called domain name space. This was back in the 1980s.
Then gradually the amount of up take and registrations started to escalate and this responsibility was handed or entrusted to a new organisation called Internet NZ. So we managed the Delegation and in Internet NZ we had a separate substructure which Delegation is further delegated to the domain name, and it is the organisation that sets the policies, registrar accreditation, WHOIS is a policy privacy in the country code space.
And I was on the board of the subcommittee but I have been elected as vice‑president of Internet NZ so I am off that programme.
We look at this, what is going on in ICANN and we strike gold. We strike gold a lot. We have some of the same registrar accreditation agreement and also a subsidiary which runs the registry and which, from our perspective the WHOIS database was really originally created out of the sense of responsibility for transparency. In other words, here we were managing a public resource and we wanted to have, in the domain information about who the domain name holders were. It's also one of our obligations under RFC 1591 and related standards.
And for sure, we, back in the 1980s we weren't really thinking about privacy in the way that we are now. However, we have developed privacy related policies. We periodically check the WHOIS database for accuracy. And have been known to request registrars, where we had concerns, to make sure that the rest of the data is accurate as it can be.
But we are fortunate in that space because we had very strong national legislation on privacy and an exceptionally competent Commissioner, John Edwards, who is very familiar with the topics and interested.
So we don't suffer from the same problematic nature of which privacy standard to apply. Because we aren't bound by ICANN commitments. We have a letter of agreement with ICANN. Recognizing our role as a ccTLD operator, but I do foresee that we are going to run into problems. Increasingly in the ccTLD space we see ICANN accredited registrars wanting to offer services in the ccTLDs space and being accredited as and we have more than 70 registrars accredited in our ccTLD, which is amazing given there are only about 80,000 people living in New Zealand. We recently opened up the second level domain so you can directly register and it is generating interest in this space.
I don't think we are looking at ICANN policy in this critically. We are not comfortable with how the registrar accreditation agreement was negotiated. Definitely we were noncommercial users, but definitely concerned about the back door negotiations and the in‑secret negotiations that happened around the accreditation. We don't do that as a ccTLD. We publish the registrar agreements with proposed changes for people to see and comment on. I think there have been some flaws, deep flaws in the ICANN process which maybe could have learned from a few ccTLDs about how to do that. So I'll leave my remarks there.
>> PRANASH PRAKASH: Thank you. I would like to open up the panelists to ask each other questions. And along with that, if folks in the audience have questions and remote participants have questions, could you start formulating them so that we can get to you soon?
Would any of the panelists have rebuttals or further questions for each other? I have a few for you.
>> RICHARD LEANING: You know, we are at opposite ends of the table but we are very close in what we want and would like. Regarding the RAA, our engagement with ICANN is with the rules that were in place at the time. We don't make the rules. We play by the rules. We didn't have secret meetings or underhanded discussions. We did through our GACs our recommendations board, they were accepted through the processes of ICANN.
The bit I'm interested in is about in a criminal investigation, you're quite right, maybe we should start into evidence why the WHOIS is helpful or unhelpful in our investigations, as the case may be.
The bit I'm interested in, if you are saying that as soon as the contract has been terminated, are you saying that all information should then be deleted? Or I am not sure what you mean by that.
>> SJOERA NAS: Okay. In our letters the Working Party specified that communication details, to store those six months, up to two years after the contract has been terminated, there is no legal ground. But of course, fiscal legislation may apply in different Member States that requires, for example, the fact that a transaction has occurred may be stored for up to seven years, as far as I know in the Netherlands. It differs per Member State. There is always going to be some trace of a financial transaction.
These communication details you mentioned as well, like e‑mail address and phone numbers and nicknames and Skype names and whatever. They just should be deleted immediately according to data protection law, the minute the account is terminated. In some cases even earlier. If you have an account during ten years, an agreement for a period of ten years for a .com domain, it is not very compliant with data protection law to store the original IP address for a period of ten years. That would be excessive.
So it depends on the circumstances, but it won't be the case that data protection law requires all data to be deleted immediately. It is a balancing act which data are no longer necessary to fulfill the contract.
>> PRANASH PRAKASH: And Stephanie, I have one additional question to you. If you could address both this issue and that question, is that free speech, you said, the freedom of expression leads to a desire for anonymity. That it's necessary at times to be able to express yourself freely and this has indeed been recognised by the Supreme Court of Canada as well in a recent judgment.
But when there is such a great amount of choice out there, when it is not just gTLDs that you can register, that you can buy, when you can go to various ccTLDs which have, which gather varying levels of data and to many of which are not very, don't really check the data that is input, for reasons of practicality.
When you can pseudonymously register on various ccTLDs and put forward your ideas pseudonymously, what is the problem that ICANN policies for a few gTLDs?
>> STEPHANIE PERRIN: I think there's a fundamental problem that there is, the backwards problem is that there is no basic policy of what is in the public it, what data should be collected and what those purposes are. They have to be legitimate. They have to be proportionate. What we have now is a very weird silo effect throughout ICANN, not just in the application. As a simple registrant ‑‑ and I've worked in this business all my career in IT, and I call myself simple because I would not know that the ccTLDs would be a better place to register if I wanted my data not escrowed. How the heck would I know that? Do I have to go to that level of investigation of what is becoming a necessity of life, to have a domain? I don't think so. I don't think that is acceptable. I think the onus is on ICANN to harmonise its policies, not to the lowest common denominator but to the highest level.
So absent that policy we have this weird effect going on where different stakeholders are doing, and different registries are doing different things.
>> PRANASH PRAKASH: Couldn't some ccTLDs emerge as paragons of free speech, like Canada or Iceland or other countries which are trying to promote that reputation?
>> STEPHANIE PERRIN: But if you're not a fan of the IGF or ICANN ‑‑ and God help me, I wish I weren't sometimes when I'm at ICANN ‑‑ you wouldn't know that, would you? If you are lost in a village in a country in the heart of Africa and you don't get access to the wondrous Canadian privacy enhancing domain registrars, how would you know? I don't think that is a good approach from a sound policy perspective.
President point that I raised my hand about was these constitutional cases. And it speaks to this whole issue of not having a sound policy. So we just had a Supreme Court case finally after 16 years, throw out a provision of the law in Canada that was excessive. That allowed police to get access to telecom information and ISP information and of course registrar information without a warrant. We've got no objection to police going in and getting information, but let's have a process because if you don't have a process you will have abuse. Period, end of statement. The police have as much to lose from abuse. Because when the abuse is discovered, then they can't do their legitimate business. That's why you have procedures, to make sure that everything runs correctly. And the warrant procedure need not be burdensome and need not take time. It also covers the registrar who are being served these things. They too have abuse problems. When you have back door pipes going into registrars that the population doesn't know about, then you've opened up the security hole for somebody else to get in there.
So that is the kind of fight that we have going on here. And I never thought I would hear myself saying that we need better procedure, but that's what we need in this area. It has to be backed by sound policy.
>> PRANASH PRAKASH: Excellent. Sure, the one last question I will try to get some opinions on in this would be about privacy proxy services. So Paul, dot NGO as a trusted gTLD is planning on not allowing for proxy services. Could you explain the rationale to that? I want one of the panelists to respond to PIR's decision.
>> PAUL DIAZ: Sure. So let me just step back. In dot org as it currently exists, privacy proxy is absolutely allowed. With NGO, not in the marketplace yet, it is still forthcoming, as a new TLD we can set any policies we desire. While it has been communicated on the application and made clear to the community.
Public registry participating for four plus years now, to address the needs, the pain points, the most important is being found because once they are found, they can begin to collaborate online. Very importantly they can bring attention to their cause to help generate donations, you know, finances are always so very important for not for profits.
So we decided as a matter of policy that we would not have privacy or proxy service allowed in NGO. That the information that a registrant puts in as to who is for NGO or ONG must be their own. It's a delicate decision and not taken lightly, given the mission of many of these groups, one can imagine our response to those who say well, they should be able to mask their identity. They have a choice. The choice is dot org. But for the value, the benefit that NGO will bring, having or not having anonymity, not having privacy proxy, didn't make sense for that particular name space.
But again, it is our unique environment or situation. It is not necessarily applicable to other TLDs.
>> PRANASH PRAKASH: And dot NGO also has further information about from WHOIS. There is the directory services, apart from WHOIS. Is that compulsory? Or could an NGO say we don't want to go in for that additional ‑‑ which I recognize as additional payment?
>> PAUL DIAZ: Sure. I don't want this to turn into a sales pitch for NGO, but the directory, your profile page, think of it akin to like a Facebook page. There's very basic contact information there, the kind of information that almost any entity would want to put on a basic website. That's what it is, basically a one‑page website.
>> PRANASH PRAKASH: Any responses to that before we go first to the remote participants and then to the rest of the audience?
>> MICHELE NEYLON: Trying to get the microphone to work would help. Just responding to Paul sort of indirectly. The ICANN does have some processes around policy development. With respect to WHOIS, however, for a variety of historical reasons they tend to be rather broken.
>> STEPHANIE PERRIN: Backwards.
>> MICHELE NEYLON: Stephanie, calm down. We spent the last 18 months together on the ONG. We are overly familiar with ourselves at this point.
At present, the default is public display of all contact data. The thing is, people should not conflate and confuse the collection and the display. They are two separate things.
Now, law enforcement, I will, of course, rip into them as much as possible but I do honestly see that he needs to have access to accurate data for dealing with crime. And we can't avoid that. That's a reality. But there is no ‑‑ I don't understand, I fail to understand and I really find completely disingenuous from those who keep pushing for this fully public publishing of data, I don't understand the logic behind it.
Now, law enforcement, real police, these agents of states, those states to whom we pay our taxes, et cetera, et cetera, guardians of our safety, et cetera, et cetera. They have legitimate reasons, legitimate rights to access data. Of course, you know, within certain bounds. They can't go off pulling out our data just for laughs, but they have a reason to do that.
The problem we're finding in this space, there are lots of other third‑parties, primarily IP lawyers ‑‑ sorry to say it ‑‑ who want to have access to everybody's data so they can protect their trademarks, so they can protect their interests which are primarily commercial. And they want everything to be fully public because they don't have a legitimate right to gain access to the private details.
And I've said this in the past in various fora and I'll say it again. There's an overloading of the WHOIS. It is being used for purposes for which it was never intended. There are lots of third‑parties trying to re‑purpose the data that is being provided. Like if I want to register a domain name I have to provide details. I give up certain rights and I'm perfectly happy with that. That doesn't mean I'm giving my data to some random American company ‑‑ not ICANN specific purpose to go and sell that data to third‑parties, said purportedly to protect consumer interests.
>> PRANASH PRAKASH: Thank you, Michele. I won't take the IP lawyer as a slight against me. I think of myself as access to knowledge lawyer.
>> MICHELE NEYLON: You're all evil!
>> PRANASH PRAKASH: Any remote participant questions so far?
Any audience questions? Please, raise your hands. First ...
>> AUDIENCE: I'm Alex from Privacy International. Two comments. One for Rich Leaning from Interpol. I think if people had better guarantees about their data not being accessed by third‑parties and not used for unintended purposes, people may be more honest about the information they share. That made me think about the effectiveness in having an accurate database. If people had more guarantees they might be more honest in that process.
The second was on the last point about the State being guardians and there to protect us. Unfortunately, states have gone well beyond what has been given to them by law to protect us. They've gone beyond what the law tells them they can do and the right that we as citizens to some extent need to sacrifice for our security. Unless that trust is restored I don't believe people will believe them anymore.
>> PRANASH PRAKASH: I will take a couple more questions and come back to the panel.
>> AUDIENCE: Hi, hello. My name is Monica Urr. I'm a journalist. Thanks for the discussion. I would like to challenge, why has this discussion not taken place like five years ago in the Governmental Advisory Committee of ICANN? Where a data protection official could have challenged like we heard today the law enforcement side about their requests, what they want to have from WHOIS. Because we never had that. And that partly, I think, resulted in the whole mess that we saw over the years.
So my question, actually my positive question would be: Will the Article 29 group make an effort to be at the next ICANN meeting? Because I understand WHOIS will be a major topic there. And also the extended versions of WHOIS.
Then I would like to challenge Mr. Leaning. You said there have been no secret meetings, which is not true. I mean, even at the ICANN meetings there were closed meetings of law enforcement for some ICANN meetings it was like for three or four days. I don't know what you did there. Because it was closed. But I know that there came, papers came out with data retention provisions that went far beyond what we see now.
>> PRANASH PRAKASH: And I will take one more.
>> AUDIENCE: Hi. Good afternoon. I'm from Poland. I'm responsible for squaring the circle you mentioned especially when it comes to the retention after the CJ's ruling. Obviously this has much broader implications also when it comes to the question that you are actually addressing when it comes to ICANN.
What I would like you to be a little bit more specific because and help me out how to square that circle and do the balancing act. I agree 100 percent with you that after the CJ's ruling it will be quite difficult.
But now enforcement agencies also in my country say that only the status quo allows us to pursue the criminals, so on and so forth whereas privacy advocates are saying definitely status quo is, cannot be actually sustained. Also in the view of this CJ's ruling.
First of all when it comes to proportionality, it seems for me absolutely clear that retention has been in certain cases abused because certain types of crimes have to be specified, really serious crimes as opposed to crimes which do not necessitate that sort of measures. I heard that the German government is trying to square the circle by simply stating that, first of all, there will be some very serious crimes clearly specified. And then there will be no retention across the board. But if the authorities have legitimate concerns, they can ask, for example, for certain data to be retained. Up until the moment when there is a court order to actually release them. I wanted to ask you about the parallel to the whole problem of WHOIS and so on and so forth, especially you representing the group of Article 29 and the gentleman from Europol. Would that be sort of a direction to square the circle, to really specify, to look at proportionality and to look at ways which would actually give us a little bit more flexibility but at the same time guarantees that retention will not be abused?
>> PRANASH PRAKASH: Excellent. If I may add one thing to that is, when mutual legal assistance treaties, MLATs, have to quite an extent been an abject failure, how do we say, for example, if there is a court warrant that comes out from India and the registrar is looking in the U.S., then how do we actually get that process to work which you are describing?
So some of the panelists have now specific questions. I'll start from this side and once we're through I'll come back to the audience for more questions.
>> STEPHANIE PERRIN: Can I just respond to that last question? If we did a really good analysis of the use of the data, understanding, of course, that this is going to probably be not available to journalists, we need to know what kind of investigations actually need two‑year‑old data, escrowed data, bearing in mind that the site is down and dead. There's no relationship with the registrar anymore.
>> MICHELE NEYLON: One thing, Stephanie, to interrupt you, please don't say "escrowed" because escrow is different within the ICANN context. Stored, retained. Because we as registrars have that, but that's just registration.
>> STEPHANIE PERRIN: This is what ICANN is like, folks, in case you were thinking of signing up. It's always more complicated than it looks.
We need to understand what kinds of investigations this is useful for. There is this thing called the data preservation order. If you are doing a long‑term investigation of a whole network of fishy looking sites ‑‑ I don't mean that in the phish, phishing ‑‑ you know, not the anti‑phishing working group, that kind of thing. You can slap a preservation order on that. As my colleague explained, you don't need to take down the sites of the little grandmother with the pictures of her grandchildren.
This is not the same as it was years ago when all this started to roll downhill to see what needs to be done should be done. That will square the circle. Data preservation would solve a lot of your problems.
>> SJOERA NAS: To respond to the call, why didn't Article 29 Working Party intervene five years ago when this process started to be developed, we did actually write an opinion in 2003 and wrote letters in 2006 and 2007, just for the record we were aware.
>> PRANASH PRAKASH: And who were these letters sent to, ICANN or the GAC?
>> SJOERA NAS: GAC is, of course, a Committee within ICANN. We prefer to address the CEO of ICANN because we think it's more efficient to go to the top level. But it is indeed a problem that GAC, government representatives from the Member States, well, maybe were a bit more or better informed, let's be subtle, by the law enforcement demands than by the data protection demands.
Of course in 2005 the world looked completely different. Law enforcement indeed had a voice that was much more heard than data protection. Data protection was basically considered hiding for all the evil in the world. And now the tide has turned and I think data protection concerns are much better heard and especially with such a ruling from the European Court of Justice which is irrepealable. It is the end verdict. It is not permitted. It's disproportionate. Governments may not introduce such data retention legislation lightheartedly.
That is the other thing from the Polish representative that asked for, isn't there some kind of arrangement you can think of from data protection point of view to combat serious crimes, right? Can I summarize your question like that? I do agree with Stephanie Perrin, there is an alternative which often has been argued for by the Article 29 Working Party which is the quick freeze or the preservation.
Of course, given the necessity of a case is convincing, yes, you may preserve a lot of ongoing data in an ongoing investigation. The problem we have seen in Europe for the past six years after the introduction of the data retention legislation is that there has been no convincing evidence that it has actually contributed in a proportionate way to the fighting of serious crime. The European Commission has sent questionnaire after questionnaire to the Member States. All the Member States came up with is horrific examples. Examples, right, of child pornography, kidnapping. When we look closely at these examples, a lot of these cases could have been solved by starting within that investigation by asking for the available data that were available anyway. Cases of kidnapping, you don't wait for two years of asking who called the mobile phone number of the disappeared child, right?
So we were shocked to see that this was management by speech and by horrific speech, which we all abhor, right, these cases. Now it's time to come up with real evidence like Stephanie said. Thank you.
>> If I can add and top up on this why we didn't have these meetings and these talks five years ago in 2005, I would like to say, I guess, that we have different rules of the game now since all these Snowden revelations. I think that privacy is gaining more teeth on the international level now. It is also demonstrated that this is not the first time it has come up in ICANN and in IGF. Stephanie said she has been working on this 14 years and no one listened to her but in ICANN highlighting the privacy issues. That's our responsibility not as geeks or advocates but as citizens of the world to push this further. There will hardly be any better moment for actually having leverage than just now. I hope you all hear me and are with me.
>> Hi. The struggle's gone on for 14 years. I have only been working on it at ICANN for a year and a half. I don't think I could take 14 years, you know.
I want to get something done and fast. But I can tell you why nothing has happened from the other side, from civil society side. I should wait until my research is done, but my experience as someone volunteering my time while there are the best Intellectual Property lawyers around sitting across the table from me, and they are getting paid. Meantime, this is not me whining about my expenses not being paid from a year ago. It is me whining about a structural deficit within ICANN. The folks that are there to represent civil society have umpteen things that they are looking at. Free speech all the other processes to get the deep expertise that you need to combat all of the other arguments. Somebody has to volunteer their time. High priced human rights lawyers aren't willing to do that, especially when it costs them money to come. That's a problem.
>> PRANASH PRAKASH: Could we have Richard also responding?
>> RICHARD LEANING: I don't know where to start on my big list of answers.
Yes, to the journalist. Law enforcement have law enforcement eyes at ICANN and they have been closed. They are closed because it's basically a training day where Internet experts basically tell us and ‑‑ train us and some of the colleagues how the Internet works. So at ICANN everyone goes to ICANN from the Internet. So they learn how the domain name stuff works; they tell us how the IPv6 works. That's it, a training day where experts come to us and build our capabilities in how the Internet works.
That is it. It is not any underhand dealing or secret stuff. Common sense would suggest if law enforcement were going to have some sort of secret meeting with ICANN, would we put it in the agenda of the ICANN? Really and say look, we're in this room and it's secret but we'll let everyone know we're there. Really? I know some cops are dumb but we are not that dumb, okay?
So in London, we actually opened up for the morning session and we had a great crowd turn up. By half an hour, everyone was bored and they all walked out. It will be open again in L.A. Please come and see what we talk about. I guarantee you, you will be bored. It's basic stuff to cops on the streets that do not know anything about the Internet.
>> MICHELE NEYLON: Richard, if you don't mind me adding, I have attended some of these. It's called operational security. There is no, there are no secret handshakes. I have been in the room several times. It is really down to helping law enforcement get a better grip on the technical realities, explaining to them how the ICANN policies and processes work.
I think the reason that they have been closed ‑‑ there's a multitude of reasons for that. Just because a meeting is closed doesn't mean that the people in the room are coming up with crazy conspiracies. I would love it if it was that interesting, but honestly, it is not.
>> RICHARD LEANING: We have listened to the criticism and that's why we will not put down that it's closed. It will be open. It's Tuesday next time in the L.A. Please I'll buy you a cup of coffee and we'll have a chat.
We have done investigations, to answer some of our ‑‑ we use many techniques, many different things about investigations. I could go on for days about the complexity of a criminal investigation some of the things you said, yes, we may have to go back two years because ‑‑ which may sound strange, because the defense have asked us to do something to prove or disprove something that their client has done. I should say, there's a legal system and we have to play by that legal system. Sometimes we have to go back because the defense have asked us to go back, not because the prosecution want us.
I won't go into too much detail, but the thing about the WHOIS is, law enforcement didn't invent the WHOIS. The WHOIS was there. If ICANN and the registrars and registries are going to have the WHOIS, let's make it accurate. Otherwise, let's not have it. You've got it and all we're saying is, while you've got it, it's meant to identify the people responsible for the domains, let's have it accurate. That's all. We didn't invent the WHOIS. Our suggestion was if you are going to make the effort of getting those details, do you not really think that Mickey Mouse in Fantasyland is accurate is valuable? Verify the details on WHOIS if you are going to have a WHOIS.
Now, do we need a WHOIS? Should the registrars take more responsibility about the WHOIS, should we discuss it with the registrar? The law enforcement doesn't mind where the information is, as long as it's there and accurate and we can go through due process to get the necessary safeguards to get that information.
So basically all I have to say on that.
>> PRANASH PRAKASH: Thank you. So we will take two more questions and we have eight more minutes so we will do them rapidly. We will take the questions and get them answered and do one rapid fire round of closing comments.
>> AUDIENCE: David Vyorst with Eyesight DC. The question for you guys is, do you see any countervailing public right or need to know who registers a domain? To balance against privacy concerns? Should I be able to know who is publishing bad stuff about me?
And if so, how would you balance those two things?
>> AUDIENCE: Is it on? Thank you.
Hi. My name is Chris LaHatte, the ICANN ombudsman. I seem to be by default in charge of privacy issues within ICANN.
There are two issues for me. This is really a request for information as much as anything else. There is privacy within ICANN which is its own topic. And I do in fact get complaints from time to time about the privacy of information which is provided to ICANN for various purposes. And the use that is made of it. So it is not an academic interest. I really want to know some of the answers. And my view is that our policy within ICANN definitely needs attention and revision because it would make my job a bit easier, among other things.